US8225400B2ActiveUtilityA1

Security overlay network

82
Assignee: PACELLA DANTE JPriority: May 13, 2008Filed: May 13, 2008Granted: Jul 17, 2012
Est. expiryMay 13, 2028(~1.8 yrs left)· nominal 20-yr term from priority
H04L 63/1441H04L 2463/141
82
PatentIndex Score
11
Cited by
12
References
24
Claims

Abstract

A device receives an indication of detected attack traffic associated with a network, identifies a victim of the attack traffic, and selects a security platform for processing the attack traffic. The device also advertises a tunnel and routing tag information in the network for the selected security platform, receives the attack traffic via the advertised tunnel, and forwards the attack traffic to the selected security platform for processing. The device further receives processed traffic from the selected security platform, and forwards, via the network, the processed traffic to the victim.

Claims

exact text as granted — not AI-modified
1. A computing device-implemented method, comprising:
 receiving, via a tunnel device, an indication of detected attack traffic associated with a network; 
 identifying, via a tunnel device, an intended recipient of the detected attack traffic; 
 selecting, via the tunnel device, information identifying a security platform for processing the detected attack traffic; 
 advertising, via the tunnel device, a tunnel in the network for the selected security platform; 
 receiving, via the tunnel device, the detected attack traffic via the advertised tunnel; 
 forwarding, via the tunnel device, the detected attack traffic, to the selected security platform, for processing to obtain processed traffic; 
 receiving, via the tunnel device, the processed traffic from the selected security platform; and 
 forwarding, via the tunnel device and the network, the processed traffic, received from the selected security platform, to the intended recipient. 
 
     
     
       2. The computing-device implemented method of  claim 1 , further comprising:
 receiving, via the tunnel device and the network, valid traffic associated with the network; and 
 forwarding, via the tunnel device and the network, the valid traffic to one or more destinations associated with the valid traffic. 
 
     
     
       3. The computing device-implemented method of  claim 1 , where selecting, via the tunnel device, the security platform for processing the detected attack traffic comprises at least one of:
 selecting, via the tunnel device, traffic scrubbing as the security platform for processing the detected attack traffic, 
 selecting, via the tunnel device, sinkhole routing as the security platform for processing the detected attack traffic, 
 selecting, via the tunnel device, security traffic analysis as the security platform for processing the detected attack traffic, or 
 selecting, via the tunnel device, backscatter traceback as the security platform for processing the detected attack traffic. 
 
     
     
       4. The computing device-implemented method of  claim 1 , where advertising, via the tunnel device, the tunnel in the network for the selected security platform comprises at least one of:
 advertising, via the tunnel device, a Multiprotocol Label Switching (MPLS) based tunnel in the network for the selected security platform, 
 advertising, via the tunnel device, an Internet protocol security (IPsec) based tunnel in the network for the selected security platform, or 
 advertising, via the tunnel device, a generic routing encapsulation (GRE) based tunnel in the network for the selected security platform. 
 
     
     
       5. The computing device-implemented method of  claim 1 , where the detected attack traffic comprises at least one of:
 a denial of service (DoS) attack, 
 an excessive traffic and resource depletion attack, or 
 a routing or network control protocol attack. 
 
     
     
       6. The computing device-implemented method of  claim 1 , where receiving the detected attack traffic via the advertised tunnel includes receiving the detected attack traffic, via the advertised tunnel in the network, without the detected attack traffic being detected while the detected attack traffic is being transmitted, in the network, to the tunnel device. 
     
     
       7. The computing device-implemented method of  claim 1 , where advertising, via the tunnel device, the tunnel in the network for the selected security platform comprises:
 advertising, via the tunnel device, a next-hop of a tunnel end-point for a given route via a border gateway protocol (BGP). 
 
     
     
       8. The computing device-implemented method of  claim 1 , where the tunnel device comprises a split topology tunnel device. 
     
     
       9. The computing device-implemented method of  claim 8 , where:
 receiving the detected attack traffic via the advertised tunnel further comprises receiving the detected attack traffic via a first topology of the split topology tunnel device; and 
 forwarding the processed traffic comprises forwarding the processed traffic via a second topology, of the split topology tunnel device, that is different than the first topology. 
 
     
     
       10. The computing device-implemented method of  claim 3 , where the processed traffic is obtained based on the detected attack traffic being processed via the at least one of:
 the traffic scrubbing; 
 the sinkhole routing; 
 the security traffic analysis; or 
 the backscatter traceback. 
 
     
     
       11. A device, comprising:
 processing logic to:
 receive an indication of detected attack traffic associated with a network, 
 identify a device targeted by the detected attack traffic, 
 select information identifying a security platform for processing the detected attack traffic, 
 advertise a tunnel in the network for the selected security platform, 
 receive the detected attack traffic via the advertised tunnel, 
 forward the detected attack traffic, to the selected security platform, for processing to obtain processed traffic, 
 receive the processed traffic from the selected security platform, and 
 forward, via the network, the processed traffic, received from the security platform, to the device targeted by the detected attack traffic. 
 
 
     
     
       12. The device of  claim 11 , where the processing logic is further to:
 receive, via the network, valid traffic associated with the network, and 
 forward, via the network, the valid traffic to one or more destinations associated with the valid traffic. 
 
     
     
       13. The device of  claim 11 , where, when selecting the security platform for processing the detected attack traffic, the processing logic is further to at least one of:
 select traffic scrubbing as the security platform for processing the detected attack traffic, 
 select sinkhole routing as the security platform for processing the detected attack traffic, 
 select security traffic analysis as the security platform for processing the detected attack traffic, or 
 select backscatter traceback as the security platform for processing the detected attack traffic, 
 where the at least one of the traffic scrubbing, the sinkhole routing, the security traffic analysis, or the backscatter traceback is selected based on at least one of:
 a type of the detected attack traffic, 
 a location associated with the device targeted by the detected attack traffic, or 
 information identifying a user of the device targeted by the detected attack traffic. 
 
 
     
     
       14. The device of  claim 11 , where, when advertising the tunnel in the network for the selected security platform, the processing logic is further to at least one of:
 advertise a resource reservation protocol (RSVP)-based Multiprotocol Label Switching (MPLS) label switched path (LSP) tunnel in the network for the selected security platform, 
 advertise an Internet protocol security (IPsec) based tunnel in the network for the selected security platform, or 
 advertise a generic routing encapsulation (GRE) based tunnel in the network for the selected security platform. 
 
     
     
       15. The device of  claim 11 , where the detected attack traffic comprises at least one of:
 a denial of service (DoS) attack, 
 an excessive traffic and resource depletion attack, or 
 a routing or other network control protocol attack. 
 
     
     
       16. The device of  claim 11 , where the advertised tunnel:
 permits the detected attack traffic to be securely transmitted, in the network, to the device, and 
 prevents the detected attack traffic from being detected while the detected attacked is being transmitted, in the network, to the device. 
 
     
     
       17. The device of  claim 11 , where, when advertising the tunnel in the network for the selected security platform, the processing logic is further to:
 advertise a next-hop of a tunnel end-point for a given route via a border gateway protocol (BGP). 
 
     
     
       18. The device of  claim 11 , where the device comprises a split topology tunnel device. 
     
     
       19. The device of  claim 18 , where:
 when receiving the detected attack traffic via the advertised tunnel, the processing logic is further to receive the detected attack traffic via a first topology of the split topology tunnel device; and 
 when forwarding the processed traffic to the device targeted by the detected attack traffic, the processing logic is further to forward the processed traffic via a second topology of the split topology tunnel device that is different than the first topology. 
 
     
     
       20. The device of  claim 11 , where the processed traffic comprises at least one of:
 the detected attack traffic processed via traffic scrubbing, 
 the detected attack traffic processed via sinkhole routing, 
 the detected attack traffic processed via security traffic analysis, or 
 the detected attack traffic processed via backscatter traceback. 
 
     
     
       21. A system, comprising:
 a plurality of tunnel devices, each tunnel device, of the plurality of tunnel devices, being associated with a corresponding one of a plurality of security devices and at least one tunnel device, of the plurality of tunnel devices, comprising processing logic to:
 receive an indication of detected attack traffic associated with a network, 
 identify an intended recipient of the detected attack traffic, 
 select a security device from the plurality of security devices for processing the detected attack traffic, 
 advertise a tunnel in the network for the selected security device, 
 receive the detected attack traffic via the advertised tunnel, 
 forward the detected attack traffic, to the selected security device, for processing to obtain processed traffic, 
 receive the processed traffic from the selected security device, and 
 forward, via the network, the processed traffic, received from the selected security device, to the intended recipient. 
 
 
     
     
       22. The system of  claim 21 , where the processed traffic corresponds to first processed traffic, and
 where the processing logic of the at least one tunnel device is further to:
 forward a copy of the detected attack traffic, to another security device of the plurality of security devices, for processing to obtain second processed traffic; and 
 receive the second processed traffic from the another one of the plurality of security device. 
 
 
     
     
       23. The system of  claim 21 , where, when one of the plurality of tunnel devices is non-operational, the detected attack traffic is received by one of remaining one or more of the plurality of tunnel devices. 
     
     
       24. The system of  claim 21 , where the selected security device is associated with one of the plurality of tunnel devices other than the tunnel device that receives the detected attack traffic via the advertised tunnel.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.